October 15, 2012
When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore
This post features a discussion with Terri Sands, senior vice president of electronic banking and fraud management at State Bank & Trust Company in Atlanta, on the landscape for risk management for community banks.
P&R: Terri, we talk a lot about how payments are migrating from paper to electronic methods. How does this affect community banks in payment services today?
Terri Sands: It wasn't long ago that community banks viewed fraud as an issue reserved for their larger brethren. Smaller institutions were able to deal with one-off issues such as the occasional stolen checkbook or bank card or other fraudulent transactions on a case-by-case basis. And while those events may have added some expense for the community bank's bottom line, it was rarely viewed as a material event affecting the institution and its brand.
But over the past several years, fraud's impact on community banking significantly changed. Fraud has become a constant threat to financial institutions and other industries regardless of the size and complexity of the organization. In the midst of increased attacks on financial institutions and their customers' accounts, the industry has become increasingly concerned over how to effectively protect against fraud. Basically, you can't read the newspaper or read e-mails without some form of fraudulent attack that has hit the financial sector—some are minor, others are major. However, when fraud hits close to home, it is always significant, regardless of the dollar amount.
P&R: We've been hearing a lot about corporate account takeovers in recent years. Is this affecting community banks, and what can they do about it?
Sands: For community banks, corporate account takeover attacks initiated by computer viruses have become a particularly sinister problem. In those circumstances, a corporate customer has inadvertently installed a virus on a computer by clicking on a link embedded in an e-mail that then provides a fraudster with critical online banking credentials. The fraudster uses the online banking credentials—that is, the user ID and password—to reroute credit transactions to an account and then immediately withdraws funds or pays a "money mule" to withdraw the funds and wire the money to a designated account.
Corporate customers may not even realize their money has been stolen until they check or the bank checks the account. Regardless of how this virus occurred, the customer may feel uncertainty about security and about the bank's ability to protect their money in the future. So for many community banks, this type of fraud has truly been the turning point as it is hitting their customers and therefore hits closer to home—it has become reality.
Community banks have the same fraud risk management responsibilities as the larger banks. They should network with the industry and law enforcement to share information on attacks in an effort to collaborate on mitigation strategies and share intelligence about other types of attacks affecting their customers. This is a great way to further enhance any bank's risk and fraud management program. Community banks should also include customer education as part of an effective fraud management strategy, to help them to be more proactive in their own defensive practices to ward against fraud. Of course, as the industry is well aware, the interagency regulatory guidance published in June 2011 on authentication in an online banking environment also provides community banks with a roadmap for assessing a bank's risk profile and ensuring adequate protection against risk vulnerabilities.
P&R: Is fraud mainly an online problem today?
Sands: Fraud can happen online or offline. The risk may result from a simple form of social engineering such as a phone call or e-mail attempting to gain customer information or from an internal gap in the payment process that can be exploited. Either way, fraud management is not a one-time fix but an ongoing process. Community banks must remain ever-vigilant in efforts to protect consumers from risk of fraud and possible financial loss.
TrackBack URL for this entry:
Listed below are links to blogs that reference When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore:
September 24, 2012
Alternative Financial Services Grow, and So Do the Unbanked and Underbanked
The just-released 2011 FDIC national survey on unbanked and underbanked households reports that this demographic segment has shown modest growth since the 2009 survey. Despite improvements in the general economy, 20.1 percent of U.S. households are underbanked and 8.2 percent are unbanked completely. According to the FDIC's definition, underbanked consumers may have a traditional bank account, but they rely heavily on alternative providers for financial services (shortened to AFS in the FDIC report). As we described in a previous post on nonbanks, the landscape for AFS today is a highly dynamic free-market environment that fosters creativity and innovation. Will the confluence of a growing underserved market and the ever-expanding role of nonbanks in our U.S. payments system fuel the fire for increased reliance upon AFS in general?
Growing use of alternative financial services
The growing reliance on AFS became more widespread between 2009 and 2011. According to the 2011 FDIC report, about 25 percent of all households, including the unbanked and underbanked, reported using AFS in the last year. These AFS users report finding nonbank financial services more convenient, faster, and less expensive than traditional banks.
Every day, many new types of nonbanks, including telecom firms, are entering the payments space, as we noted in this 2009 post on mobile money transfers. More recently, social networks like Facebook and PayPal-like payment business models such as Dwolla are entering the fray. Regulators of money transfer operators are working diligently to ensure that the myriad of new firms in the business are appropriately licensed and regulated. The fast pace of nonbank entry is creating a confusing regulatory environment and potential vulnerabilities that bad actors may find opportunities to exploit.
The growing appeal of prepaid
The 2011 FDIC report also notes that the unbanked and underbanked households rely on prepaid cards more than do fully banked households. One in 10 households overall reported the use of a prepaid card. The proportion of unbanked household that have used a prepaid card climbed from 12.2 percent in 2009 to 17.8 percent in the last survey.
The fact is, prepaid card adoption has been on the rise for some time. The Fed's last triennial payment study reported it to be the fastest growing retail payment method. The expanded functionality for prepaid payments today make them practical for many uses, including payroll, travel, and the provision of benefits. Consumers can purchase prepaid cards from merchants and other nonbank locales where they might be more comfortable than they would be in a traditional financial institution.
This is all good news in the context of financial inclusion and expanded opportunity for the unbanked to participate in the electronic economy and shift from more informal transfer methods. However, payments experts still have concerns. In particular, there is the risk that violators of money laundering laws may go undetected as stored-value payments move from the plastic card to other access devices such as mobile handsets. FinCEN and other regulators will need to keep these issues front of mind as adoption grows and more nonbanks participate in the prepaid industry.
Implications for policymakers and financial institutions
The report concludes that one particularly noteworthy lesson for banks to consider is the need to make traditional financial products more convenient, faster, and less expensive in order to compete with AFS. They should try harder to appeal to the under- and unbanked by providing expedited availability for deposited funds to compete with check cashers. The report even goes on to say that banks might find it useful to promote mobile technology to increase convenience, the most commonly reported reason that households use nonbank check cashiers. With the growing use of prepaid cards for both federal and state government benefits, astute financial institutions may recognize other opportunities to provide prepaid services that may eventually shift the unbanked and underbanked to more a formal banking economy.
However, one clear trend is that technology is driving entrepreneurship in payments delivery methods in unexpected ways, with new AFS services announced all the time. In the long run, AFS may not be considered alternative any more, shedding the negative reputation that label traditionally implies. If new payments are cheaper and faster, perhaps they deserve a less jaundiced eye.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Alternative Financial Services Grow, and So Do the Unbanked and Underbanked:
August 13, 2012
Tourism Traffic Boosts Prepaid Cards
Prepaid cards, at least until 2010, were the fastest growing payment method in the United States, according to the Fed's latest payments study. Their use is also growing in other markets, including Latin America in general and Brazil in particular, especially for funding tourism activities. Brazilian tourists are increasingly choosing rechargeable prepaid travel cards loaded with U.S. currency over cash. Interestingly, U.S. banks are also realizing economic benefits from tourists' move from cash to prepaid cards.
Growing South Florida tourism drives Brazilians to spend more
Brazilians make up the second largest tourist group to Florida, next to Canadians (3.3 million of whom visited the United States in 2011). Last year, approximately 1.5 million Brazilians visited Florida. They spent more than a billion dollars total, with a per-visit amount typically exceeding $5,000. Altogether, the Fed Atlanta's Miami Branch paid out $1.7 billion U.S. dollars to Brazil.
A number of factors are contributing to the rise in Brazilian tourists to Florida, including the high number of available flights, expedited processing for travel visas, significantly lower prices for many designer brands coupled with the absence of Brazilian import tax, and relatively cheaper real estate prices.
Brazilian tax rule, other factors influence credit card spending abroad But why are these tourists increasing choosing to use prepaid cards? In 2011, the Brazilian government imposed a new financial operations tax of 6.38 percent on foreign transactions made with Brazilian-issued credit cards. The tax, called the IOF—short for Imposto sobre Operações Financeiras—makes using credit cards abroad very unattractive for Brazilians.
Prepaid travel cards also offer more favorable exchange rates, and they insulate consumers against rate fluctuations by offering a fixed exchange rate on all purchases.
Banks in Brazil also benefit from prepaid cards used abroad. Transportation and custody expenses make it costly for Brazil's commercial banks to obtain and hold U.S. dollars. As a result, these banks are actively promoting prepaid cards. U.S. commercial banks quickly seized the opportunity to compete with their Brazilian counterparts by rolling out marketing campaigns in Brazil promoting the benefits of prepaid travel cards for U.S. travel.
All these conditions and incentives have combined to create a 50 percent rise in travel card applications by Brazilians shortly after the tax regulation was introduced.
Brazil offers an interesting case study of the growth in the use of prepaid payment cards. Just as U.S. consumers beyond the unbanked are recognizing the ease and convenience of this payment device, so are international consumers.
By Paul Graham, assistant vice president and branch operations officer, Miami Branch of the Federal Reserve Bank of Atlanta
TrackBack URL for this entry:
Listed below are links to blogs that reference Tourism Traffic Boosts Prepaid Cards:
April 23, 2012
Consumer protection: What to do when the consumer’s the threat?
How much for a cockroach in my take-out? What should the burger joint give me for gaining weight from eating their cheeseburgers? Consumers seeking a quick payday through frivolous lawsuits are old news in the food industry. What you may not know is that financial institutions must battle the same problem, as malicious actors twist consumer protection legislation for their own profit.
An American Banker article described how a federal court in Pennsylvania dismissed a lawsuit brought against a credit union claiming that one of their ATMs lacked a mandatory Electronic Funds Transfer Act (EFTA) sticker disclosing fees. This was just one in a string of lawsuits filed by the same plaintiffs. Some financial institutions have decided to settle instead of taking their chances in court. Some of the plaintiffs mentioned in the American Banker article have apparently decided to make a living by scoping out ATMs where stickers have fallen off or been removed, making transactions at these machines, and then filing suit against the unsuspecting operator.
This consumer behavior represents a type of second-order compliance risk. In addition to the formal consequences of noncompliance with regulation, financial institutions (FI) must also consider that some bad actors may attempt to undermine their compliance efforts. As a practical matter, FIs can manage this risk by validating EFTA compliance each time the ATM is serviced. As the machine is being refilled with cash and receipt paper, servicers should check for the disclosure sticker and have extras on hand in case it has been removed. The FI should maintain records of verification and/or replacement.
These lawsuits also raise larger questions. The other week I blogged about how the Federal Reserve has at times attempted to correct market failures in the payments industry. However, the unintended consequences of legislation discussed in this post demonstrate that government failure is also a risk. Government failure is any time that a government intervention to overcome a market failure results in a less efficient outcome than if no action had been taken. The case of these ATM vigilantes shows that legislation meant to protect the consumer can sometimes be used to justify wasteful lawsuits. In addition to determining if there is a legitimate market failure to correct, policymakers also need to consider the potential for government failure and unintended consequences of regulation before passage.
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Consumer protection: What to do when the consumer’s the threat?:
April 16, 2012
Online and mobile banking create many front doors
"The vulnerability is the front door of the bank." I've heard that quote many times over the years. With online banking continuing to grow, and mobile being the latest channel to access bank accounts and services, the bank suddenly has many more "doors" to worry about.
An August 2011 Consumer Trends Survey by Fiserv shows that 79 million households use online banking, and businesses are following suit. With this kind of competitive environment, most banks must offer online or even mobile banking to stay relevant. As banks strive to remain relevant, they must also stay safe.
The Federal Financial Institutions Examination Council (FFIEC) published the timely Supplement to Authentication in an Internet Banking Environment in June 2011 to address electronic banking security. As financial institutions enter the mobile banking world, the FFIEC's guidance helps banks to protect against risk in electronic access channels. NACHA also recently reviewed its existing policies and operating rules to ensure it has similar helpful guidance for financial institutions originating ACH transactions in this increasingly connected environment.
Whether it's FFIEC guidance or NACHA rules, these five sound business practices can go a long way toward safe electronic banking, whether through the Internet or mobile channel.
Customer Awareness and Education is ongoing, and one-time notices are not as effective as repeated messages on specific security concerns. Describe potential threats in language understood by the average consumer and business. Consider requiring business customers to perform risk assessments around online banking access and practices.
Layered Security Programs include the practice of tailoring different security tools to the type of account and activity and establishing appropriate controls over account activities based on typical account use patterns. Stay up to date on new layered security technologies and regulatory requirements.
Effectiveness of Authentication Techniques—not all techniques are equally effective. Use complex device authentication methods. Change those methods as technology changes. And establish challenge questions that have answers not readily available on the Internet or through social media sites. Incorporate "red herring" questions into the challenge questions, and use different challenge questions in different sessions.
Customer Authentication for High-Risk Transactions applies to both consumer and business accounts. Monitor accounts for unusual and out-of-pattern transactions on a regular basis. Establish procedures to do something when out-of-pattern transactions are detected.
Risk Assessments and "know your customer" are basic concepts that apply to both consumer and business banking products. Assess threat and risk-related information regularly. Identify types of changes that trigger additional assessments. "One and done" doesn't keep pace in this fast-moving environment. Review experiences with incidents and learn from them. And develop response teams and playbooks to respond quickly to threats or incidents that require immediate action.
With Internet and now mobile banking growing by leaps and bounds, the vulnerability is no longer just the front door of the bank. Following these sound business practices—and it's hard to argue against them—can help to secure all openings from dangers lurking in cyberspace.
By Mary Kepler, director of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Online and mobile banking create many front doors:
March 05, 2012
Generations of payment innovations
Bob Kennedy is a director and payments expert in the Fed Atlanta's supervision and regulation department. As Bob prepares for retirement next month, we sat down to talk about his thoughts on the retail payments environment in the United States.
P&R: Bob, you've gained a reputation in industry circles as an expert in the payments field and a frequent speaker at industry events with a long and distinguished career in bank supervision. Can you tell us a little about your background and your retail payments experience?
Bob: I actually come from a banking family. My grandfather actually set up a bank in the 1890s in a small town in rural Alabama to provide simple financial services to businesses and over time it grew and expanded to more consumer-based financial services. My father took over the business and employed me as early as age 12 on the teller line one day a month after school, authenticating customers who came in to cash their social security checks.
Payment services were pretty simple back then. At our little bank, customers had traditional demand deposit accounts but we did not issue checkbooks. So when they wanted to make a purchase at a merchant they would use counter checks and fill in their account information. The merchant would call my father at the bank to verify the customer's identity and funds availability.
By the 1960s, things were getting more complicated. Our customers were starting to shop more in nearby cities, so they asked us for preprinted checkbooks. My father lost an important control when we started to issue these, but we recognized the need to change with our customers so we could keep their business. Then in the 1970s, our customers demanded credit cards. The point of this history summation is that the family bank had to change to adapt to consumer demand. The same holds true today as we continue to see disruptive forces that are changing the payments business.
P&R: How would you characterize the general landscape today for bank adoption of emerging retail payments?
Bob: I would characterize the landscape as exciting because nothing is static—there is a lot going on, and we're seeing community banks beginning to adopt new types of payments. Banks are adapting to consumer demand, as before, but at the same time they need to be able to find a reward for providing the product or service, and that's in the form of revenue or customer retention. They have to have a use case for offering new services.
One of the biggest drivers of change in retail payments these days is the demand for payments data, which has become a virtual treasure trove in the sense that it provides tangible evidence about consumer decisions about products and services. A consumer who buys something has made a clear decision about the product, the retailer, and the date and time when he or she makes the purchase. This is why data mining is becoming so important to merchants in developing marketing strategies.
For example, a large retailer with a decoupled debit card may obtain information about individual consumer spending habits that it uses to help understand future potential consumer choices about products and services. According to a recent article by Charles Duhigg in the New York Times, this retailer has collected tons of data on every regular customer they have. With a "Guest ID" that the store assigns to these regulars, they track everything they buy. I believe this is why a lot of big nonbank firms like Google and PayPal are trying to establish a foothold in retail payments through the introduction of new payment channels. They recognize the monetary value of payments data at the point of sale.
P&R: What are the primary risk concerns for banks in retail payments today?
Bob: There are multiple risks for banks to consider, including operational and liquidity risks. Clearly, for U.S. banks, strategic risk is critical today with nonbank firms introducing disruptive innovations and evolving as a competitive force for banks that must remain relevant and profitable at the same time. They are forced to continually assess their business models as a result. On the positive side, we are seeing new partnerships. I read about the new alliance with Regions Bank and Western Union, leveraging each firm's agent or branch networks to provide remittance and banking services on a complementary, cross-selling versus competitive basis.
That brings us to vendor management. With banks outsourcing and partnering with nonbank, third-party firms, increased oversight for those relationships is required, along with more expertise at the bank level. For many community banks, hiring that level of expertise is challenging, and they need to rely on the risk management services from their core processors.
In addition, liquidity risk for banks in this new payments landscape has been heightened by the more rapid clearing and settlement of payment files.
Finally, security and privacy are big issues for U.S. financial institutions today, not only from a regulatory perspective but also—more importantly—from the need to protect the bank's reputation among its customers as a trusted payments partner.
P&R: What trends should industry stakeholders watch going forward?
Bob: Technological advancements are making our retail payment systems more effective, efficient, and easy. U.S. banks are doing a good job and approaching these new services and partnerships with sound due diligence. Retail payments will continue to change going forward, with disruptive services and nonbank firms appearing in ways we cannot predict. I think it will continue to be an exciting area to watch for a long time.
TrackBack URL for this entry:
Listed below are links to blogs that reference Generations of payment innovations:
January 17, 2012
How risky? The elements of an effective payments risk management program
Financial institutions manage a range of businesses with distinct risk management needs. Banks of all sizes that offer payment services to retail and commercial clients must appropriately identify and manage the myriad dimensions of risk entailed. The Retail Payments Risk Forum recently spoke with Tony DaSilva, a senior bank examiner at the Federal Reserve Bank of Atlanta. The conversation, captured in a podcast and highlighted in this post, covered the elements of a successful payments risk management program. Formerly a banker, DaSilva is able to take the perspective both of the supervisor and of the supervised institution when it comes to understanding the challenges of managing retail payments risk.
He said that in financial institutions today, "payments risk management is sometimes informal or decentralized." Without a comprehensive risk assessment, said DaSilva, these institutions have a heightened vulnerability to risks they do not understand. As a result, they may incur losses, lawsuits, or even regulatory formal actions.
Often, the scope and rigor of the bank's risk management program is not commensurate with the bank's risk profile. He added that the loose oversight combines with a variety of other factors to undercut a bank's risk management capabilities. A major driver in adding new payment services may be anxiety for fee income in an environment where many sources of payments revenue have been pressured.
Other factors include incomplete due diligence or inadequate "know-your-customer" (KYC) programs, or the institution may have insufficient payment expertise, senior leadership involvement, or employee and management training. DaSilva has seen institutions that do not perform adequate risk assessments or due diligence when deploying new payment products or services, for example, or when engaging in third-party service-provider relationships.
Implementing a strong risk management program
DaSilva explained that there are multiple types of risk in the payments business that institutions must consider. These types include "credit risk, compliance risk, transaction risk, fraud risk, and legal and reputational risk." Responding to all these requires establishing a risk management program with the following elements:
- Planning. Having clear, defined objectives, a well-developed business strategy, clear risk payments parameters, and a role within the financial institution's strategic plan.
- Risk identification and assessment. Senior management knowledge and understanding of their institution's risks is critical. The risk assessment should be incorporated into the bank's overall risk management process, which will vary by institution.
- Mitigation. Establish policies and procedures to mitigate identified risks. These policies should consist of clearly defined responsibilities and strong internal controls over transactions. Mitigation is also achieved through a good risk-based audit program, and well-designed contracts and agreements.
- Measurement and monitoring. Periodic reporting should enable the board and senior management to determine that payments activities remain within the bank's established risk parameters.
The role of bank leadership in risk management
DaSilva repeatedly emphasized that it is critical for bank board and senior management to be actively involved with and knowledgeable about their institution's payments risk management. For an institution to be able to gauge senior management knowledge, he suggested it begin by exploring whether management "understands the inherent product risks, the compliance requirements, the ability to monitor, the operations management and operational risks, [as well as] their reputational [and] legal risk."
DaSilva encouraged leveraging subject matter experts and ensuring that the retail payments strategy matches the bank's overall strategy and competencies. The best policy may be to limit product offerings to those for which management and employees have a full understanding of the accompanying risks. Despite the pressure to develop new sources of revenue, financial institutions should carefully evaluate the risks of any new payment product before adding it to their portfolio.
To end on a positive note, DaSilva has seen some institutions improving in all the right areas. They are assessing and mitigating risk across multiple payment channels, products, and delivery systems, including ACH, remote deposit capture, card products, and wire transfer. And for icing on the risk management cake, some do annual reviews of client accounts that include exposure from all payment, deposit, and loan products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference How risky? The elements of an effective payments risk management program:
November 21, 2011
Remote deposit capture: If you expand it, will fraud come?
It has been nearly two years since Portals and Rails focused on remote deposit capture (RDC). In just this short period, the RDC market has grown significantly and changed rapidly. This growth and change has led to approximately 13 percent of checks being deposited as images at the bank of first deposit, according to the 2010 Federal Reserve Payments Study. In addition, financial institutions and banks, which initially offered RDC capabilities primarily to their commercial customers, are now broadening these services to include their retail customers. Even the hardware used for RDC is evolving from desktop scanners to mobile phones. Despite this growth and evolution, RDC fraud has been minimal, much as my colleague, Cindy Merritt, discussed in an April 2009 post.
According to a new Celent report, the commercial RDC market is nearing maturity, with an estimated 75 percent of U.S. banks and 50 percent of U.S. financial institutions offering at least one RDC service. Given this mature commercial market, any future growth of RDC services should be expected via retail consumers. This growth will come from the adoption of retail RDC services by banks and financial institutions as well as the expansion of the service into new payment products—most notably, prepaid cards. As RDC usage expands to more retail consumers and additional payment products, we have to wonder if fraud associated with it will rise or continue to be held under control.
Current risk assessment
According to the 2011 Payments Fraud and Control Survey from the Association of Financial Professionals, only 1 percent of surveyed organizations responded that someone had used their electronic check conversion service to commit fraud. This figure is unchanged from the 2009 survey.
A similar assessment of RDC fraud recently emerged from the Financial Crimes Enforcement Network (FinCEN). FinCEN analysts identified 1,017 Suspicious Activity Report (SAR) filings related to RDC that banks and credit unions filed between January 1, 2005, and July 31, 2011. More than half of these reports were filed after the start of 2010. These 1,017 RDC-related SARs account for only about 0.1 percent of all bank-filed, check-fraud-related SARs. FinCEN found no real differences between the RDC channel and more traditional check depositing channels when it came to fraud schemes (for example, check kiting and counterfeit or altered checks).
Will the low level of fraud be sustainable as the service grows?
To date, banks and other financial institutions have successfully managed risks for commercial RDC services. Whether by restricting the use of the service to only its most vetted commercial clients or limiting the value of allowable remote deposits, banks have implemented risk controls to effectively minimize their risk and fraud exposure associated with RDC.
Banks and financial institutions are now beginning to cast the RDC net into their retail channels. Ally Bank offers its retail customers RDC through the traditional scanner and computer model, while USAA, J.P. Morgan Chase, PNC Bank, and U.S. Bank all now offer mobile RDC for retail consumers. Bank of America is targeting a second-quarter 2012 launch for its retail mobile RDC service. With banks and financial institutions expanding this service to a retail customer base that often undergoes less stringent due diligence than do their commercial customers, is the potential for fraud increasing?
The general-purpose reloadable (GPR) prepaid card market offers a significant growth opportunity for mobile RDC. With this service, GPR prepaid cardholders—many of whom are unbanked—would be able to load funds directly onto their prepaid cards without having to walk into a store, in the same way the service now allows banking customers to deposit checks into their direct deposit accounts.
According to a recent paybefore.com article, several third-party service providers have the risk-management software to enable mobile RDC for the prepaid industry. Interestingly, these third-party software providers will accept the risk of the mobile RDC transactions, taking the responsibility from the prepaid program manager or issuer. However, the inherent dearth of information about GRP prepaid users compared to retail and, especially, commercial banking customers makes RDC services more vulnerable to fraud with this group. In fact, prepaid card users may be unbanked because they have a poor, or no, credit history or they lack appropriate identification and credentials to open a banking account.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Remote deposit capture: If you expand it, will fraud come?:
October 11, 2011
High-impact events in a warming world: Business continuity planning for retail payments
Which will be the first to reopen after a major disaster: your financial institution or the local Waffle House? In some cases, you may be able to order your hash browns smothered, covered, peppered, and chunked before electricity is restored to your usual ATM. The breakfast chain invested heavily in crisis management planning following Hurricane Katrina, and today is recognized as one of the most responsive American companies to disasters. Whether the move was more about building goodwill and trust among customers or about profitability, the underlying operational risk management principles Waffle House employed apply equally to financial institutions and third-party payment processors.
Appropriate operational risk management for any organization includes business continuity planning for even unlikely disasters. In fact, this year's extreme weather highlights the need to prepare for even low-probability but high-impact events. In February, unprecedented snowfall blanketed Chicago. Record numbers of tornadoes ravaged the Southeast this April. Floodwaters swelled the Mississippi River to a new high in May. Just last month, historic flooding menaced the Northeast. Such disastrous weather leads not only to evacuations, grounded flights, and missed school days, but also could affect the ability of banks to maintain retail payment systems. Tellers may not be able to make it into branches to accept deposits and process withdrawals. Flooding can damage ATMs and the cash and checks they contain. Tornadoes may wreck back office processing centers or knock out the electricity and network connectivity critical for clearing and settling transactions on time.
Evidence indicates that global warming is causing an increase in extreme weather. Apart from being frightening, greater volatility in the weather requires a different approach to business continuity risk assessments. And this instability makes it difficult or impossible to determine the actual likelihood of a disruption. As part of a lessons-learned debriefing from Hurricane Katrina, the Federal Financial Institutions Examination Council emphasized that preparing for just this kind of disaster is critical. The agency's advice is to focus on potential outcome, not probability, in assessing business continuity plans:
The impact rather than the source of the threat should guide the development of disaster recovery and business continuity plans.... However, every threat that could pose a high adverse impact generally warrants further consideration regardless of its probability of occurrence.
The Bank for International Settlements has recognized the importance of business continuity planning for the financial services industry, so in 2006, it came out with seven high-level principles that can serve to direct financial institution and payment processor risk management efforts. These principles underline the importance of explicitly considering and preparing for major disruptions and acknowledge that such disruptions are occurring with increasing frequency. They also advise clear and regular communication with affected parties internal and external to the affected business, and note that ultimate responsibility for operational risk rests with senior management and the board of directors of the organization. Once implemented, plans should also be periodically tested and refined as necessary.
In a world that isn't always predictable, strong business continuity plans hinge on making sure businesses are ready for the unexpected. The mission-critical nature of retail payments should challenge financial institutions to be at least as prepared as the local diner.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference High-impact events in a warming world: Business continuity planning for retail payments:
May 02, 2011
The check's in the mail, but it might be fraudulent
Amid the constant hubbub of emerging fraud schemes, research shows us that criminals are rational consumers of the nth degree. They instinctively move to the path of least resistance. While the exciting and glamorous fraud topics today involve wire fraud, account takeovers, ID theft, and skimming, the results of the Association for Financial Professionals' (AFP) annual corporate fraud survey remind us that the most fraud vulnerable instrument available today is the paper check. Why? Because check fraud is a decidedly low-tech practice whose ingredients include a bit of thievery, a good copying machine, and possibly, but not necessarily, some magnetic ink.
Corporate experiences with check fraud
The AFP's study tabulated survey results from around 400 public, private, nonprofit, and government organizations across a wide range of sizes. Over 70 percent of the respondents reported that they had been the victim of fraud in 2010. Of those, 93 percent reported fraud involving checks, compared to 25 percent with ACH debit fraud and 23 percent with consumer card fraud. Moreover, of the fraudulent methods used, checks also experienced the highest rate of increase, with 30 percent of organizations reporting an increase in check fraud. And check fraud accounted for 53 percent of the reporting organizations’ financial losses. Interestingly, while actual fraud losses were deemed to be modest in total dollar terms, 84 percent of the respondents had made efforts to protect themselves against check fraud by implementing positive pay controls on their corporate accounts; 53 percent had implemented payee positive pay.
Bank experiences with check fraud
The corporate responses synchronized well with the results of the American Bankers Association's (ABA) last deposit account fraud survey in 2009. At that time, 80 percent of respondent banks reported check fraud losses totaling over $1 billion, which is 23 percent higher than losses experienced with debit/ATM cards. Interestingly, there seems to be little evidence in the ABA report or elsewhere to indicate that check fraud stems from abuse of new technology. At the outset of the implementation of the Check 21 legislation, many industry pundits forecasted that losses would climb as a result of widespread implementation of remote deposit capture (RDC) technology, but it appears such has not been the case. In fact, several large banks, emboldened by the experiences of pioneers such as USAA, have even extended remote capture into the homes of their depositors who are armed with the latest in RDC technology—the smart phone.
Yet, there are growing concerns within the industry that the "gild may be off the lily," as the bad guys learn more about the opportunities. A friend and Sunday school classmate of mine who works for a large national bank reported to me that they had been beset over the past few weeks with an interesting scheme involving new account fraud and checks. Individuals have been opening new accounts and obtaining a debit/ATM card at the outset. After making a modest deposit of good funds to open the account, the new customer then used their ATM card to deposit several counterfeit checks at ATM locations. Per the bank’s policy, some or all funds were made available to the customer immediately (depending on the dollar amount of the check). The customer took advantage of that fact, withdrew the maximum amount possible the next day, before the return deadlines, and then walked away (well, one actually complained because not all funds were made available, but that’s another story, involving criminal indignation).
The unit cost of fraud and fee revenue deliberations
The upshot of all this is that there is a lesson to be learned. Just because we see checks as a diminishing-use instrument doesn't mean we should let our guard down whether we are a consumer, a corporation, or a bank. In tough economic times, a billion-dollar loss to the banking industry is still an expensive ticket. Having just wrapped up the Federal Reserve's 2010 Retail Payments Study, I was interested in exploring fraud from a slightly different angle by looking at the average fraud per check written in the United States. While not all industry surveys align perfectly with respect to samples, time frames, response levels, and so forth, they are close enough to produce some interesting observations. Further, such a calculation might help us understand what the actual "fraud tax" is on checks as banks consider future check service fee issues.
The 2009 ABA study estimated that 760,955 cases of check fraud took place in the 2008 reporting year, with actual losses estimated at $1.024 billion. Compare these numbers to 561,306 cases and $969 million in the 2006 study and 616,469 cases and $677 million in the 2003 study. The concurrent Fed payments studies in 2004, 2007, and 2010 estimated the number of checks written in the United States at 37.6, 33.1, and 27.8 billion, respectively. Doing the math reveals that the per-item cost of fraud losses has gone from $.018 to $.029 to $.036 (unadjusted for inflation). Said differently, the unit cost of fraud for every check written has doubled in six years to 3.6 cents per item even as aggregate check volume has fallen by 26 percent. By the way, this figure represents the costs of fraud losses, not the total cost of fraud management for the check world.
In summary, while the industry debates the issue of the cost of fraud management in the Durbin debit card interchange regulation, perhaps similar scrutiny should be applied to the cost of fraud management in the check world as check volume diminishes. Somewhere out there is an opportunity to adopt an overall fraud management fee strategy as yet another arrow in the quiver of strategically leading customers to payments choices that make sense for the bottom line of a bank.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference The check's in the mail, but it might be fraudulent: